CVE-2022-31131 — Improper Authentication in Security-advisories

CWE-287 — Improper Authentication CWE-639 — Authorization Bypass Through User-Controlled Key2 documents2 sources

Severity

4.3MEDIUMNVD

CNA5.4

EPSS

0.2%

top 64.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Mail

Timeline

PublishedJul 6

Description

Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/nextcloud_mail< 1.12.2

▶CVEListV5nextcloud/security-advisories< 1.12.2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Ownership check missing when updating or deleting mail attachments in Nextcloud mail↗2022-07-06

▶